If you’re leading a horse to water, make sure it drinks.
March's edition of the ORX Association podcast discussed their recent survey on the difficulties firms encounter when implementing Operational Risk Management frameworks.
The survey results distilled into four key challenges:
The first challenge links directly to the findings of our third-party risk management reviews.
In particular, a key challenge for firms is defining clear roles and responsibilities to create first line supplier risk management accountability. We often find that the robust risk assessment that takes place during supplier onboarding does not carry through to BAU first line assurance during the rest of the supplier lifecycle.
A Gartner study suggests that firms need to reassess how they invest in supplier risk management. It found that three-quarters of investment dollars focus on supplier due diligence and onboarding, with only 27% set aside for risk identification throughout the relationship. The same study found that 90% of material supplier risks were not considered identifiable through current due diligence activities.
This final point highlights the importance of developing mature risk management capability in the first line to support the firms’ wider risk management efforts and responsibilities.
In contrast, we usually find that 1LOD Supplier Relationship owners focus exclusively on supplier performance against operational targets and do not consider supplier risks. This creates tension for the second line as they try to enforce the policy and framework and seek evidence of risk identification, management, and assurance. With the first line not meeting the policy requirements or operating controls effectively, the second line is forced to step in and review work that should have been done in the first line, rendering the framework, controls, and governance ineffective through a lack of independent oversight.
Referring back to the podcast, ORX used a worked example of the PRA's fine of MS Amlin from late 2022.
The PRA’s summary shows how siloed working and poor oversight created an ineffective operational risk approach.
To meet governance and oversight expectations, we suggest that firms address overarching risk management principles to support programme objectives.
As the PRA’s attention to governance and oversight of third parties increases, we can expect to see further censure of firms that fail to address their supplier risk exposure and supplier resilience.